What’s Inside ANY.RUN’s Cyber Threat Intelligence Feeds?

ANY.RUN’s Threat Intelligence (TI) feeds offer a useful solution for organizations seeking to detect and mitigate the latest malware and phishing campaigns, attacks, and cybercriminal techniques.

But what exactly is inside these feeds, and how can they help companies strengthen their cybersecurity?

Let’s dive into the details.

What Are ANY.RUN’s Threat Intelligence Feeds?

ANY.RUN’s Threat Intelligence (TI) feeds are a comprehensive collection of Indicators of Compromise (IOCs) that can expand security systems’ threat detection capabilities. These feeds don’t just provide the basics; they go deep, offering malicious IPs, URLs, domains, file hashes, and even links to specific analysis sessions, showing you how threats behave.

Where does this data come from? A global community of over 500,000 researchers and cybersecurity professionals who upload and analyze real-world malware and phishing samples daily to ANY.RUN’s public submissions repository.

With TI Feeds from ANY.RUN, organizations can:

  • Expand Threat Coverage: Extend your security systems’ ability to detect emerging malware and phishing attacks.
  • Improve Incident Response: Enrich incident response processes with contextual data from the feeds, providing deeper insights into threats and their behaviors.
  • Strengthen Security Posture: Ensure proactive protection against new and evolving threats.
  • Optimize Threat Hunting: Streamline threat hunting activities, identifying and investigating potential threats more effectively.

Key Features of ANY.RUN’s CTI Feeds

Here’s what makes ANY.RUN’s CTI feeds useful for cybersecurity teams:

  • Fresh Data: Include data extracted from the latest public samples uploaded to our interactive sandbox by a global community of over 500,000 security professionals.
  • Actionable Indicators: Provide indicators from decompressed traffic, memory dumps, and malware configurations, as well as those manually collected by our team of malware analysts, plus data from partners and OSINT sources.
  • Contextual Information: Provide more than just IOCs by offering direct links to full sandbox analysis sessions that include memory dumps, network traffic, and events.
  • Rigorous Pre-Processing: Use advanced algorithms and proprietary technology for data filtering and validation.
  • Regular Updates: Updated every few hours, helping security teams stay ahead of emerging threats and respond quickly to new ones.
  • STIX and MISP Formats: Deliver threat intelligence feeds in the STIX and MISP formats, making it easy for security teams to integrate our data into their existing infrastructure.
  • API Support: Integrate into existing security systems via API for real-time threat updates and automated responses.

What’s Inside ANY.RUN’s CTI Feeds?

The IOCs include information on malicious IP addresses, domains, and URLs, enriched with contextual details such as related files and ports. Here’s a closer look at what’s inside:

IP addresses

IP addresses are essential for detecting and stopping malicious network activity. They serve as digital markers of cybercriminal operations, often linked to Command-and-Control (C2) servers or phishing campaigns.

By analyzing IP addresses, cybersecurity teams can:

  • Identify malicious sources: Pinpoint harmful traffic and proactively block it.
  • Trace attack origins: Gain insights into the geolocation and methods of attackers.
  • Track threat patterns: Detect repeated use of IPs across campaigns.
  • Enhance network security: Use IP-based firewalls and intrusion prevention systems (IPS) to block unwanted traffic.

Example:

- type: ipv4-addr
  id: ipv4-addr--75725b48-17a3-575d-a5de-b5d9798bde8d
  value: 103.168.67.9
  created: '2024-06-13T06:26:00.704Z'
  modified: '2024-06-13T06:26:00.704Z'
  external_references:
    - source_name: ANY.RUN task 11ce507f-d535-4bf1-8973-989d7654017a
      url: https://app.any.run/tasks/11ce507f-d535-4bf1-8973-989d7654017a
  labels:
    - RedLine
  related_objects:
    - relationship_type: includes
      source_ref: ipv4-addr--75725b48-17a3-575d-a5de-b5d9798bde8d
      target_ref: file--49ef9153-94eb-5d05-bac2-19a54738afab
  created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
  score: 90
  revoked: false

ANY.RUN’s TI feeds don’t just list malicious IPs. They provide detailed context that turns raw data into actionable insights for cybersecurity teams. This enriched information helps assess the behavior and impact of each IP. Here’s what’s usually included:

  • External references: Links to related sandbox sessions.
  • Label: Name of the malware family or campaign.
  • Detection timestamps: “Created” and “Modified” dates provide a timeline to tell whether a threat is ongoing or historical.
  • Related objects: IDs of files and network indicators linked to the item in question.
  • Score: Value representing the severity level of the IOC.
  • Revoked: Field indicating whether the IOC has been invalidated.
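
The fields listed above are what a consumer of the feed acts on. The following Python script is an added example (it is not ANY.RUN’s code and does not use the ANY.RUN API): it loads a constructed feed extract modelled on the RedLine indicator shown on this page plus two made-up indicators, drops revoked and low-score entries, computes the age of each indicator from its "modified" timestamp, and matches destination IPs in constructed firewall log lines against the result. The log format, the addresses of the benign traffic, and the IDs containing "example" are assumptions for the demonstration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed feed extract. The first object reproduces the RedLine IP
# indicator shown on this page; the other two are made up for the example
# (IDs containing "example" are placeholders, not real feed IDs).
FEED_JSON = """[
  {"type": "ipv4-addr",
   "id": "ipv4-addr--75725b48-17a3-575d-a5de-b5d9798bde8d",
   "value": "103.168.67.9",
   "created": "2024-06-13T06:26:00.704Z",
   "modified": "2024-06-13T06:26:00.704Z",
   "external_references": [
     {"source_name": "ANY.RUN task 11ce507f-d535-4bf1-8973-989d7654017a",
      "url": "https://app.any.run/tasks/11ce507f-d535-4bf1-8973-989d7654017a"}],
   "labels": ["RedLine"], "score": 90, "revoked": false},
  {"type": "ipv4-addr", "id": "ipv4-addr--example-revoked",
   "value": "198.51.100.7", "created": "2024-05-01T00:00:00.000Z",
   "modified": "2024-06-01T00:00:00.000Z", "external_references": [],
   "labels": ["ExampleFamily"], "score": 100, "revoked": true},
  {"type": "ipv4-addr", "id": "ipv4-addr--example-low-score",
   "value": "203.0.113.9", "created": "2024-06-15T00:00:00.000Z",
   "modified": "2024-06-15T00:00:00.000Z", "external_references": [],
   "labels": ["ExampleFamily"], "score": 40, "revoked": false}
]"""

# Constructed firewall log lines (key=value style); benign traffic uses
# RFC 5737 documentation addresses.
LOG_LINES = [
    "2024-06-20T10:01:02Z src=10.0.0.5 dst=103.168.67.9 dport=443 action=ALLOW",
    "2024-06-20T10:01:05Z src=10.0.0.6 dst=192.0.2.10 dport=443 action=ALLOW",
    "2024-06-20T10:02:11Z src=10.0.0.5 dst=198.51.100.7 dport=80 action=ALLOW",
    "2024-06-20T10:03:00Z src=10.0.0.9 dst=203.0.113.9 dport=8080 action=DENY",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def load_feed(feed_json):
    """Parse the JSON feed extract into a list of indicator dicts."""
    return json.loads(feed_json)


def parse_ts(value):
    """Parse the feed's ISO-8601 timestamps (millisecond precision, UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def build_index(feed_objects, min_score=70, now=None):
    """Return {ip: indicator} for ipv4-addr objects worth alerting on.

    Revoked indicators are dropped (the feed has invalidated them), as are
    indicators below min_score. The age in days since 'modified' is attached
    so an analyst can tell an ongoing threat from a historical one.
    """
    if isinstance(now, str):
        now = parse_ts(now)
    now = now or datetime.now(timezone.utc)
    index = {}
    for obj in feed_objects:
        if obj.get("type") != "ipv4-addr" or obj.get("revoked"):
            continue
        if obj.get("score", 0) < min_score:
            continue
        entry = dict(obj)
        entry["age_days"] = (now - parse_ts(obj["modified"])).days
        index[obj["value"]] = entry
    return index


def match_events(log_lines, index):
    """Match the destination IP of each firewall event against the index."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        hit = index.get(m["dst"])
        if hit is None:
            continue
        alerts.append({
            "time": m["ts"],
            "src": m["src"],
            "indicator": hit["value"],
            "label": ",".join(hit.get("labels", [])),
            "score": hit["score"],
            "age_days": hit["age_days"],
            "action": m["action"],
            "sandbox": [r["url"] for r in hit.get("external_references", [])],
        })
    return alerts


def run(feed_json=FEED_JSON, log_lines=LOG_LINES, now=None):
    """Build the index and return the alerts for the sample log."""
    return match_events(log_lines, build_index(load_feed(feed_json), now=now))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only the RedLine connection produces an alert: the revoked indicator is ignored even though its score is 100, and the score-40 indicator falls under the threshold. Each alert carries the label, score, age and sandbox task link, which is the context an analyst needs before escalating.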

Domains

Domains play a key role in hosting malicious content, running phishing campaigns, and distributing malware. They’re often used as staging points for cyberattacks, making them a key focus for threat detection and mitigation.

ANY.RUN’s TI feeds provide comprehensive details about domains, including all the information available for IP addresses, such as threat names, types, detection timestamps, and related file hashes.

Example:

- type: domain-name
  id: domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc
  value: mail.sdil.ac.ir
  created: '2024-06-10T21:13:17.465Z'
  modified: '2024-06-17T13:37:53.620Z'
  external_references:
    - source_name: ANY.RUN task 64e1d470-dcd4-4d78-b1f0-aa4d9bd6f225
      url: https://app.any.run/tasks/64e1d470-dcd4-4d78-b1f0-aa4d9bd6f225
    - source_name: ANY.RUN task 090c21da-a050-4f88-bb09-1bae142df1cb
      url: https://app.any.run/tasks/090c21da-a050-4f88-bb09-1bae142df1cb
  labels:
    - AgentTesla
  related_objects:
    - relationship_type: includes
      source_ref: domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc
      target_ref: file--dbee2af2-3be4-5e2a-9bf3-94e3fe8637b3
    - relationship_type: includes
      source_ref: domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc
      target_ref: file--9794dd40-085a-5c84-8d95-70cbd8efcf1d
  created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
  score: 100
  revoked: false

Keep in mind that domains provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign.

URLs

URLs play a key role in cybercriminal operations, often serving as gateways to distribute malware, run phishing campaigns, or redirect users to malicious content. Their flexibility and ease of use make them a popular tool for attackers.

How URLs are used:

  • Malware delivery: Embedded in emails or websites, URLs download malware or redirect to exploit kits.
  • Phishing campaigns: Lead users to fake websites designed to steal sensitive information.
  • Command-and-Control (C2): Facilitate communication between malware and attackers for issuing commands or exfiltrating data.
  • Exploitation and redirection: Redirect victims to malicious websites hosting drive-by downloads or exploits.

By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data.

Example:

- type: url
  id: url--001c0f70-93f8-583d-96ce-7c260da3a193
  value: http://www.goog1evip15.com/dogw/
  created: '2024-06-11T21:35:59.640Z'
  modified: '2024-06-11T21:35:59.640Z'
  external_references:
    - source_name: ANY.RUN task 55051854-38c4-4d03-a70a-6dd2ce3d89ca
      url: https://app.any.run/tasks/55051854-38c4-4d03-a70a-6dd2ce3d89ca
  labels:
    - Formbook
  related_objects: []
  created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
  score: 100
  revoked: false

Note that URLs often serve as entry points for malicious activity, acting as gateways for malware delivery, phishing attacks, or redirection to exploit kits, which makes them essential for identifying and mitigating cyber threats.
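
Matching domain and URL indicators against proxy logs is less straightforward than matching IPs: the logged URL may differ from the feed value in host case, default port or fragment, analysts often paste defanged forms ("hxxp", "[.]"), a domain indicator should also catch its subdomains but not its parent, and a request to the same host with a different path is a weaker signal than an exact URL hit. The script below is an added example, not ANY.RUN’s code, covering the Domains and URLs sections above. It uses the Formbook URL and AgentTesla domain indicators from this page; the proxy log format and the log entries themselves (including the benign ones and the made-up subdomain) are constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed feed extract: the URL and domain indicators shown on this page,
# reduced to the fields the matcher needs.
FEED = [
    {"type": "url", "id": "url--001c0f70-93f8-583d-96ce-7c260da3a193",
     "value": "http://www.goog1evip15.com/dogw/", "labels": ["Formbook"], "score": 100},
    {"type": "domain-name", "id": "domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc",
     "value": "mail.sdil.ac.ir", "labels": ["AgentTesla"], "score": 100},
]

# Constructed proxy log lines: timestamp, client, method, URL, status.
PROXY_LOG = [
    "2024-06-12T08:00:00Z 10.0.0.5 GET http://WWW.GOOG1EVIP15.COM:80/dogw/ 200",
    "2024-06-12T08:00:03Z 10.0.0.5 GET hxxp://www.goog1evip15[.]com/dogw/x.php 404",
    "2024-06-12T08:01:10Z 10.0.0.7 GET https://mail.sdil.ac.ir/owa/ 200",
    "2024-06-12T08:01:12Z 10.0.0.7 GET https://smtp.mail.sdil.ac.ir/ 200",
    "2024-06-12T08:02:00Z 10.0.0.8 GET https://sdil.ac.ir/ 200",
    "2024-06-12T08:03:00Z 10.0.0.9 GET https://www.example.com/dogw/ 200",
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def refang(text):
    """Undo common defanging so 'hxxp://a[.]b' compares equal to 'http://a.b'."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def normalize_url(url):
    """Canonical form: lowercase scheme and host, default port dropped,
    fragment removed, '/' used for an empty path."""
    parts = urlsplit(refang(url.strip()))
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port is None or port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def build_index(feed):
    """Three lookup tables: exact URLs, domain indicators, and hosts of URL indicators."""
    index = {"url": {}, "domain": {}, "url_host": {}}
    for obj in feed:
        if obj["type"] == "url":
            canon = normalize_url(obj["value"])
            index["url"][canon] = obj
            index["url_host"][urlsplit(canon).hostname] = obj
        elif obj["type"] == "domain-name":
            index["domain"][obj["value"].lower().rstrip(".")] = obj
    return index


def match_host(host, domain_index):
    """Exact domain match, or host is a subdomain of an indicator (never the reverse)."""
    if host in domain_index:
        return domain_index[host], "domain-exact"
    for dom, obj in domain_index.items():
        if host.endswith("." + dom):
            return obj, "domain-subdomain"
    return None, None


def match_url(url, index):
    """Return (indicator, kind); kinds are listed from strongest to weakest signal."""
    canon = normalize_url(url)
    if canon in index["url"]:
        return index["url"][canon], "url-exact"
    host = urlsplit(canon).hostname or ""
    obj, kind = match_host(host, index["domain"])
    if obj:
        return obj, kind
    if host in index["url_host"]:
        # same host as a URL indicator but a different path: weaker signal
        return index["url_host"][host], "url-host-only"
    return None, None


def scan_proxy_log(lines, index):
    """Return one hit dict per matching log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        obj, kind = match_url(fields[3], index)
        if obj:
            hits.append({"client": fields[1], "url": fields[3], "kind": kind,
                         "label": obj["labels"][0], "indicator": obj["value"]})
    return hits


def run(feed=FEED, lines=PROXY_LOG):
    """Index the feed and scan the sample proxy log."""
    return scan_proxy_log(lines, build_index(feed))


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Four of the six lines match: the exact Formbook URL despite the upper-case host and explicit port, the defanged request to the same host (reported as the weaker "url-host-only"), the AgentTesla domain, and its subdomain. The parent domain sdil.ac.ir and the unrelated path on example.com do not match, which is the intended behaviour.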

Additional Indicators in ANY.RUN’s TI Feeds

In addition to the core Indicators of Compromise (IOCs) such as URLs, domains, and IPs, ANY.RUN’s CTI feeds include a wealth of contextual information.

This additional data enriches the IOCs, offering deeper insights into the nature and behavior of each indicator.

Files

For file indicators, ANY.RUN’s CTI feeds provide detailed information to help identify and assess malicious files. Here are the key data fields included:

Example:

- type: file
  id: file--249382b0-209d-5904-b725-b47663c6c412
  hashes:
    SHA-256: d564eb94afb174fe3b854de086eda2a4e015d778a9aea9806e79f82044eac74e
    SHA-1: 14b96459dff641245aea6dacd34512830d945ee2
    MD5: 5edee175c5003771dea841893ea46602
  created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
  score: 100
  file_name: d564eb94afb174fe3b854de086eda2a4e015d778a9aea9806e79f82044eac74e.exe
- type: url
  id: url--d65b67ec-39f2-5309-8cc9-56e016b6a48f
  value: http://109.248.151.196/rvBZyVEAb230.bin
  created: '2024-06-11T18:44:15.898Z'
  modified: '2024-06-11T18:44:15.898Z'
  external_references:
    - source_name: ANY.RUN task 35d75e14-c1a2-418c-b98f-f7d58cca93cb
      url: https://app.any.run/tasks/35d75e14-c1a2-418c-b98f-f7d58cca93cb
  labels:
    - guloader
  related_objects:
    - relationship_type: includes
      source_ref: url--d65b67ec-39f2-5309-8cc9-56e016b6a48f
      target_ref: file--249382b0-209d-5904-b725-b47663c6c412
  created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
  score: 100
  revoked: false

Ports

Port indicators describe network activity tied to specific port usage, offering insights into malicious connections.

Example:

- type: port
  id: port--60027215-4cf1-5773-bef7-62051468dbd3
  port_value: 5555
  created: '2024-06-16T02:32:35.010Z'
  modified: '2024-06-16T02:32:35.010Z'
  labels:
    - NjRat
  related_objects:
    - relationship_type: corporations
      source_ref: domain-name--8ee2a029-d3e7-53f1-84fb-bee3008c0060
      target_ref: port--60027215-4cf1-5773-bef7-62051468dbd3
  created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
  score: 100

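The file, URL and port objects above are linked through related_objects, and a file object carries several hash algorithms at once. The added Python example below (not ANY.RUN’s code) shows two things a practitioner does with this structure: a hash lookup that accepts any of the algorithms, case- and whitespace-insensitively, and a pivot that walks related_objects in both directions so a hit on a port or URL can be expanded to the files and domains of the same campaign. The file, URL and port objects are taken from this page; the domain object is constructed (its ID is the one the port example references, its value is a placeholder), and the relationship_type string on the constructed domain-port link is a placeholder, since the pivot does not depend on it.

```python
from collections import deque

# Constructed feed extract modelled on the file, URL and port objects shown on
# this page. The domain object is made up so the port has something to pivot
# to: the id is the one referenced by the page's port example, the value and
# relationship_type are placeholders.
FEED = [
    {"type": "file", "id": "file--249382b0-209d-5904-b725-b47663c6c412",
     "hashes": {"SHA-256": "d564eb94afb174fe3b854de086eda2a4e015d778a9aea9806e79f82044eac74e",
                "SHA-1": "14b96459dff641245aea6dacd34512830d945ee2",
                "MD5": "5edee175c5003771dea841893ea46602"},
     "labels": [], "score": 100, "related_objects": []},
    {"type": "url", "id": "url--d65b67ec-39f2-5309-8cc9-56e016b6a48f",
     "value": "http://109.248.151.196/rvBZyVEAb230.bin", "labels": ["guloader"], "score": 100,
     "related_objects": [{"relationship_type": "includes",
                          "source_ref": "url--d65b67ec-39f2-5309-8cc9-56e016b6a48f",
                          "target_ref": "file--249382b0-209d-5904-b725-b47663c6c412"}]},
    {"type": "port", "id": "port--60027215-4cf1-5773-bef7-62051468dbd3",
     "port_value": 5555, "labels": ["NjRat"], "score": 100,
     "related_objects": [{"relationship_type": "related-to",  # placeholder
                          "source_ref": "domain-name--8ee2a029-d3e7-53f1-84fb-bee3008c0060",
                          "target_ref": "port--60027215-4cf1-5773-bef7-62051468dbd3"}]},
    {"type": "domain-name", "id": "domain-name--8ee2a029-d3e7-53f1-84fb-bee3008c0060",
     "value": "njrat-c2.example", "labels": ["NjRat"], "score": 100,  # constructed value
     "related_objects": []},
]


def index_hashes(feed):
    """Map every hash of every file object (any algorithm, lowercased) to (algorithm, object)."""
    table = {}
    for obj in feed:
        if obj["type"] == "file":
            for algo, digest in obj.get("hashes", {}).items():
                table[digest.lower()] = (algo, obj)
    return table


def lookup_hash(table, digest):
    """Case- and whitespace-insensitive lookup; returns (algorithm, file object) or None."""
    return table.get(digest.strip().lower())


def build_graph(feed):
    """Undirected adjacency from related_objects, so pivots work from either end."""
    graph = {obj["id"]: set() for obj in feed}
    for obj in feed:
        for rel in obj.get("related_objects", []):
            a, b = rel["source_ref"], rel["target_ref"]
            graph.setdefault(a, set()).add(b)
            graph.setdefault(b, set()).add(a)
    return graph


def pivot(graph, seed_id, max_hops=2):
    """Breadth-first walk from seed_id; returns {object_id: hops from the seed}."""
    seen = {seed_id: 0}
    queue = deque([seed_id])
    while queue:
        cur = queue.popleft()
        if seen[cur] >= max_hops:
            continue
        for nxt in graph.get(cur, ()):
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    return seen


def campaign_view(feed, reachable):
    """Summarise reachable objects: labels seen and indicator values grouped by type."""
    by_id = {obj["id"]: obj for obj in feed}
    labels, values = set(), {}
    for oid in reachable:
        obj = by_id.get(oid)
        if obj is None:
            continue  # referenced object is not part of this feed extract
        labels.update(obj.get("labels", []))
        value = obj.get("value", obj.get("port_value", obj.get("hashes", {}).get("SHA-256")))
        values.setdefault(obj["type"], []).append(value)
    return {"labels": sorted(labels), "indicators": values}


if __name__ == "__main__":
    graph = build_graph(FEED)
    print(lookup_hash(index_hashes(FEED), "5EDEE175C5003771DEA841893EA46602"))
    print(campaign_view(FEED, pivot(graph, "port--60027215-4cf1-5773-bef7-62051468dbd3")))
```

A lookup by upper-case MD5 finds the same file object as its SHA-256 would, and pivoting from the NjRat port reaches the domain while leaving the unrelated GuLoader URL and its file untouched. In a real deployment the target_ref of a relationship may point at an object that is not in the extract you hold, which is why campaign_view skips unknown IDs instead of failing.
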
Integrate ANY.RUN’s TI Feeds

ANY.RUN offers demo feed samples in STIX and MISP formats

You can check ANY.RUN’s Threat Intelligence Feeds in STIX and MISP formats completely free of charge by getting a free demo sample here.

ANY.RUN also runs a dedicated MISP instance that you can synchronize your server with or connect to your security solutions. To get started, contact our team via this page.

About ANY.RUN

ANY.RUN serves more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →
